Add CIG Policy List API support in Terraform (#15812)

Author: gomu18

mmv1/third_party/terraform/provider/provider_mmv1_resources.go.tmpl

@@ -80,6 +80,7 @@ var handwrittenDatasources = map[string]*schema.Resource{
 	"google_cloud_identity_group_memberships":          cloudidentity.DataSourceGoogleCloudIdentityGroupMemberships(),
 	"google_cloud_identity_group_transitive_memberships":  cloudidentity.DataSourceGoogleCloudIdentityGroupTransitiveMemberships(),
 	"google_cloud_identity_group_lookup":               cloudidentity.DataSourceGoogleCloudIdentityGroupLookup(),
+	"google_cloud_identity_policies":              cloudidentity.DataSourceGoogleCloudIdentityPolicies(),
 	"google_cloud_identity_policy":               cloudidentity.DataSourceGoogleCloudIdentityPolicy(),
 	"google_cloud_quotas_quota_info":                   cloudquotas.DataSourceGoogleCloudQuotasQuotaInfo(),
 	"google_cloud_quotas_quota_infos":                  cloudquotas.DataSourceGoogleCloudQuotasQuotaInfos(),

mmv1/third_party/terraform/services/cloudidentity/data_source_cloud_identity_policies.go

@@ -0,0 +1,170 @@
+package cloudidentity
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+)
+
+func DataSourceGoogleCloudIdentityPolicies() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceGoogleCloudIdentityPoliciesRead,
+		Schema: map[string]*schema.Schema{
+			"filter": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Filter expression for listing policies, as documented in the Cloud Identity Policy API policies.list method`,
+			},
+			"policies": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: `List of Cloud Identity policies that match the filter (or all policies if no filter is provided).`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `The resource name of the policy.`,
+						},
+						"customer": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `The customer that the policy belongs to.`,
+						},
+						"policy_query": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Description: `The CEL query that defines which entities the policy applies to.`,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"query": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "The query that defines which entities the policy applies to.",
+									},
+									"group": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "The group that the policy applies to.",
+									},
+									"org_unit": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "The org unit that the policy applies to.",
+									},
+									"sort_order": {
+										Type:        schema.TypeFloat,
+										Computed:    true,
+										Description: "The sort order of the policy.",
+									},
+								},
+							},
+						},
+						"setting": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `The setting configured by this policy.`,
+						},
+						"type": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `The type of the policy.`,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func dataSourceGoogleCloudIdentityPoliciesRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*transport_tpg.Config)
+	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return err
+	}
+
+	policiesListCall := config.NewCloudIdentityClient(userAgent).Policies.List()
+
+	if filter, ok := d.GetOk("filter"); ok {
+		policiesListCall = policiesListCall.Filter(filter.(string))
+	}
+
+	if config.UserProjectOverride {
+		billingProject := ""
+		// err may be nil - project isn't required for this resource
+		if project, err := tpgresource.GetProject(d, config); err == nil {
+			billingProject = project
+		}
+
+		// err == nil indicates that the billing_project value was found
+		if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+			billingProject = bp
+		}
+
+		if billingProject != "" {
+			policiesListCall.Header().Set("X-Goog-User-Project", billingProject)
+		}
+	}
+
+	var allPolicies []map[string]interface{}
+
+	for {
+		resp, err := policiesListCall.Do()
+		if err != nil {
+			return transport_tpg.HandleDataSourceNotFoundError(err, d, "CloudIdentityListPolicies", "Policies")
+		}
+
+		if resp.Policies != nil {
+			for _, p := range resp.Policies {
+				policyMap := map[string]interface{}{
+					"name":     p.Name,
+					"customer": p.Customer,
+				}
+
+				if p.PolicyQuery != nil {
+					pq := map[string]interface{}{
+						"query":      p.PolicyQuery.Query,
+						"group":      p.PolicyQuery.Group,
+						"org_unit":   p.PolicyQuery.OrgUnit,
+						"sort_order": p.PolicyQuery.SortOrder,
+					}
+					policyMap["policy_query"] = []interface{}{pq}
+				}
+
+				if p.Setting != nil {
+					settingBytes, err := json.Marshal(p.Setting)
+					if err != nil {
+						return fmt.Errorf("error marshalling policy setting: %s", err)
+					}
+					policyMap["setting"] = string(settingBytes)
+				}
+
+				policyMap["type"] = p.Type
+
+				allPolicies = append(allPolicies, policyMap)
+			}
+		}
+
+		if resp.NextPageToken == "" {
+			break
+		}
+
+		policiesListCall = policiesListCall.PageToken(resp.NextPageToken)
+	}
+
+	if err := d.Set("policies", allPolicies); err != nil {
+		return fmt.Errorf("error setting policies: %s", err)
+	}
+
+	if filter, ok := d.GetOk("filter"); ok {
+		d.SetId(fmt.Sprintf("cloud-identity-policies-%s", filter.(string)))
+	} else {
+		d.SetId(fmt.Sprintf("cloud-identity-policies-%d", len(allPolicies)))
+	}
+
+	return nil
+}

mmv1/third_party/terraform/services/cloudidentity/data_source_cloud_identity_policies_test.go

@@ -0,0 +1,52 @@
+package cloudidentity_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"google.golang.org/api/cloudidentity/v1"
+)
+
+// This test uses the ListPolicies API directly in the precheck to ensure that
+// the Cloud Identity Policies API is reachable and that at least one policy
+// exists. Once CreatePolicy becomes GA and is supported, this test can be
+// updated to create a dedicated policy instead.
+func TestAccDataSourceGoogleCloudIdentityPolicies(t *testing.T) {
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.AccTestPreCheck(t)
+
+			ctx := context.Background()
+			ci, err := cloudidentity.NewService(ctx)
+			if err != nil {
+				t.Skipf("Cloud Identity service not available in this env: %v", err)
+			}
+			lst, err := ci.Policies.List().Context(ctx).PageSize(1).Do()
+			if err != nil {
+				t.Skipf("Cloud Identity Policies API not accessible in this env: %v", err)
+			}
+			if lst == nil || len(lst.Policies) == 0 {
+				t.Skip("No Cloud Identity policies found in this customer; skipping data source test.")
+			}
+		},
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+				data "google_cloud_identity_policies" "test" {
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					// We know at least one policy exists from the precheck, so we can
+					// assert that at least the first element in the list is populated.
+					resource.TestCheckResourceAttrSet("data.google_cloud_identity_policies.test", "policies.#"),
+					resource.TestCheckResourceAttrSet("data.google_cloud_identity_policies.test", "policies.0.name"),
+					resource.TestCheckResourceAttrSet("data.google_cloud_identity_policies.test", "policies.0.customer"),
+					resource.TestCheckResourceAttrSet("data.google_cloud_identity_policies.test", "policies.0.type"),
+				),
+			},
+		},
+	})
+}

mmv1/third_party/terraform/website/docs/d/cloud_identity_policies.html.markdown

@@ -0,0 +1,101 @@
+---
+subcategory: "Cloud Identity"
+layout: "google"
+page_title: "Google: google_cloud_identity_policies"
+sidebar_current: "docs-google-data-cloud-identity-list-policies"
+description: |-
+  Use this data source to list Cloud Identity policies.
+---
+
+# google_cloud_identity_policies
+
+Use this data source to list Cloud Identity policies.
+
+## Example Usage
+
+```hcl
+data "google_cloud_identity_policies" "all" {
+    # Example filter (optional)"
+    # filter = "customer == \"customers/my_customer\" &&
+    # setting.type.matches('^settings/gmail\\..*$')"
+}
+
+// The name of the first policy in the list of policies
+output "first_policy_name" {
+  value = data.google_cloud_identity_policies.all.policies[0].name
+}
+
+// The customer to whom the first policy belongs to. This will always be the
+// same across multiple policies as well.
+output "first_policy_customer" {
+  value = data.google_cloud_identity_policies.all.policies[0].customer
+}
+
+// The CEL query of the first policy
+output "policy_query_query" {
+  value = data.google_cloud_identity_policies.all.policies[0].policy_query[0].query
+}
+
+// The org unit the first policy applies to
+output "policy_query_org_unit" {
+  value = data.google_cloud_identity_policies.all.policies[0].policy_query[0].org_unit
+}
+
+// The group the first policy applies to
+output "policy_query_group" {
+  value = data.google_cloud_identity_policies.all.policies[0].policy_query[0].group
+}
+
+// The sort order of the first policy
+output "policy_query_sort_order" {
+  value = data.google_cloud_identity_policies.all.policies[0].policy_query[0].sort_order
+}
+
+// The setting of the first policy as a JSON string
+output "policy_setting" {
+  value = data.google_cloud_identity_policies.all.policies[0].setting
+}
+
+// The type of policy - ADMIN/SYSTEM
+output "policy_type" {
+  value = data.google_cloud_identity_policies.all.policies[0].type
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+*   `filter` - (Optional) Filter expression for listing policies, as documented in the Cloud Identity Policy API policies.list method.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+*   `policies` - List of Cloud Identity policies that match the filter (or all policies if no filter is provided). Structure is documented below.
+
+---
+
+The `policies` block contains:
+
+*   `name` - The resource name of the policy.
+
+*   `customer` - The customer that the policy belongs to.
+
+*   `policy_query` - A list containing the CEL query that defines which entities the policy applies to. Structure is documented below.
+
+*   `setting` - The setting configured by this policy, represented as a JSON string.
+
+*   `type` - The type of the policy.
+
+---
+
+The `policy_query` block contains:
+
+*   `query` - The query that defines which entities the policy applies to.
+
+*   `group` - The group that the policy applies to.
+
+*   `org_unit` - The org unit that the policy applies to.
+
+*   `sort_order` - The sort order of the policy.